Secure server authentication and browsing

ABSTRACT

Methods of authenticating a content-provider server by a server are provided. One method comprises determining a domain name of the content-provider server; obtaining a fragment of a database of IP addresses, the fragment corresponding to the domain name of the content-provider server and storing one or more IP addresses associated with the domain name; comparing the IP address of the content-provider server against the IP addresses of the fragment; and providing an indication that the IP address of the content-provider server is included or excluded from the fragment of IP addresses.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation-in-part of U.S. application Ser. No. 11/573,980 entitled SERVER AUTHENTICATION, filed on Feb. 20, 2007, which is the U.S. national phase of international patent application no. PCT/GB2005/003237, which was filed on Aug. 19, 2005, and which claims priority to GB0418613.6, filed 20 Aug. 2004, and GB0510803.0, filed 26 May 2005, the entireties of which are incorporated herein by reference.

TECHNICAL FIELD

The present invention relates to a method and system for authenticating servers of content-providers that provide content-data, such as webpage data, to client computers over a communications network, such as the Internet.

BACKGROUND

As online banking and other transactions of value have increased in popularity over the Internet, users have been fooled or coerced into revealing bank account details, passwords and other personal details to unauthorized people who may use this information dishonestly. This technique, often now referred to as “phishing”, may be initiated from an e-mail supposedly from a bank or other financial or commercial institution, such as an e-trader, sent to an ostensible customer with a link to a website where there is a request to enter personal or bank details, passwords or PIN numbers. This website may be an exact copy of a valid site belonging to the correct financial or commercial institution, or may be an entirely valid site of such institution with a fraudulent pop-up window that requests details or uses other means to deceive the customer concerned.

Other phishing methods include inserting rogue computer code or objects into legitimate pages by methods which include proxy servers, packet manipulation and installation of software or devices on a client computer. It has also been known for fraudsters to adopt similar URLs (uniform resource locators) to a genuine business to fool people into thinking they are on a legitimate site. For example, the URL 0nlinebank.com, with an initial “0” (zero) rather than an initial “O” (the letter), may be used to deceive people into believing they have reached the site of Onlinebank.com.

Still further methods include setting up totally fraudulent web sites pretending to be legitimate or non-existent charities or commercial organizations to fool users into donating monies to or purchasing goods from fraudulent organizations, which have not necessarily been reached via invitation from e-mails.

Numerous prior proposals have been made with a view to improving security on the Internet and avoiding or frustrating phishing, but none have been entirely satisfactory.

For example, WO 2004/055632 describes a system in which a complex algorithm is employed to determine whether a particular URL may be trusted or not. This analysis may take account of content and layout of a web page, age and size of the website and the number of hyperlinks, and scores the web page under each of these headings to give a determination as to whether the web page can likely be trusted or likely not be trusted. On the basis of this analysis, the URL of the web page is added to a trusted list or a distrusted list maintained by the client computer. Nevertheless, a fraudulent website will often appear as an exact copy of a legitimate site and therefore be added to the list of trusted sites.

SUMMARY

In a first aspect, the present invention provides a method of authenticating a content-provider server comprising: determining a domain name of the content-provider server; obtaining a fragment of a database of IP addresses, the fragment corresponding to the domain name of the content-provider server and storing one or more IP addresses associated with the domain name; comparing the IP address of the content-provider server against the IP addresses of the fragment; and providing an indication that the IP address of the content-provider server is included or excluded from the fragment of IP addresses.

Preferably, the fragment is stored on a remote server and obtaining the fragment comprises requesting from the server a copy of the fragment and receiving from the server a copy of the fragment.

Advantageously, the fragment is stored on the server as a file having a filename that is unique to the domain name of the content-provider server, and requesting a copy of the fragment from the server comprises requesting a file having a filename that is unique to the domain name of the content-provider server.

Conveniently, the filename of the fragment is unique to both the domain name of the content-provider server and a domain name of the server on which the fragment is stored. Preferably, the filename of the fragment is encrypted using encryption keys derived from the domain name of the content-provider server and the domain name of the server on which the fragment is stored.

Advantageously, the fragment stores one or more authenticated IP addresses and one or more non-authenticated IP addresses and the method comprises providing an indication that the IP address of the content-provider server is an authenticated IP address, a non-authenticated IP address, or neither.

Conveniently, the method comprises: storing a database of authenticated IP addresses and a database of non-authenticated IP addresses; appending the IP addresses of the fragment to at least one of the database of authenticated IP addresses and the database of non-authenticated IP addresses; comparing the IP address of the content-provider server against the database of authenticated IP addresses and the database of non-authenticated IP addresses; and providing an indication that the IP address of the content-provider server is an authenticated IP address, a non-authenticated IP address, or neither.

Preferably, the method comprises: obtaining a list of non-authenticated IP addresses from a remote server; and comparing the IP address of the content-provider server against the IP addresses of the fragment and the list of non-authenticated IP addresses.

Advantageously, the method comprises: storing a database of authenticated IP addresses and a database of non-authenticated IP addresses; appending the IP addresses of the fragment to at least one of the database of authenticated IP addresses and the database of non-authenticated IP addresses; appending the list of non-authenticated IP addresses to the database of non-authenticated IP addresses; comparing the IP address of the content-provider server against the database of authenticated IP addresses and the database of non-authenticated IP addresses; and providing an indication that the IP address of the content-provider server is an authenticated IP address, a non-authenticated IP address, or neither.

Conveniently, the content-provider server has a hostname and the method comprises: obtaining first data from the hostname; resolving the IP address of the hostname; obtaining second data from the resolved IP address; comparing the first data and second data; and providing an indication that the first data and second data are identical or non-identical.

Preferably, the fragment includes one or more URLs or portions of URLs associated with each IP address stored by the fragment, and the method comprises: comparing at least a portion of the URL of the content-provider server against the URLs or portions of URLs of the fragment that are associated with the IP address of the content-provider server; and providing an indication that the IP address and the portion of the URL of the content-provider server is included in or excluded from the fragment.

In a second aspect, the present invention provides a client computer connectable to a content-provider server over a communications network, wherein the client computer is operable to: determine a domain name of the content-provider server; obtain a fragment of a database of IP addresses, the fragment corresponding to the domain name of the content-provider server and storing one or more IP addresses associated with the domain name; compare the IP address of the content-provider server against the IP addresses of the fragment; and provide an indication that the IP address of the content-provider server is included or excluded from the IP addresses of the fragment.

Preferably, the client computer is operable to request data from the content-provider server and to obtain the fragment in response to the request for data from the content-provider server.

Advantageously, the client computer is operable to: request data from the content-provider server; determine whether data from the content-provider server has previously been requested; and to obtain the fragment if data from the content-provider has not previously been requested.

Conveniently, the client computer is operable to retrieve the fragment from a server over the communications network, and the fragment is stored on the server as a file having a filename that is unique to the domain name of the content-provider server.

Preferably, the fragment is stored on a security server.

More preferably, the client computer is operable to determine whether the fragment of IP addresses stored on the server has changed and to retrieve from the server the fragment if it is determined that the fragment has changed.

Advantageously, the filename of the fragment is unique to both the domain name of the content-provider server and a domain name of the server on which the fragment is stored.

Conveniently, the filename of the fragment is encrypted using encryption keys derived from the domain name of the content-provider server and the domain name of the server on which the fragment is stored.

Preferably, the fragment stores one or more authenticated IP addresses and one or more non-authenticated IP addresses and the client computer is operable to provide an indication that the IP address of the content-provider server is an authenticated IP address, a non-authenticated IP address, or neither.

Advantageously, the client computer stores a database of authenticated IP addresses and a database of non-authenticated IP addresses, and the client computer is operable to: append the IP addresses of the fragment to at least one of the database of authenticated IP addresses and database of non-authenticated IP addresses; compare the IP address of the content-provider server against the database of authenticated IP addresses and the database of non-authenticated IP addresses; and provide an indication that the IP address of the content-provider server is an authenticated IP address, a non-authenticated IP address, or neither.

Conveniently, the client computer is connectable to a security server over the communications network, and the client computer is operable to obtain a list of non-authenticated IP addresses from the security server and to compare the IP address of the content-provider server against the IP addresses of the fragment and the list of non-authenticated IP addresses.

Preferably, the client computer stores a database of authenticated IP addresses and a database of non-authenticated IP addresses, and the client computer is operable to: append the IP addresses of the fragment to at least one of the database of authenticated IP addresses and database of non-authenticated IP addresses; append the list of non-authenticated IP addresses to the database of non-authenticated IP addresses; compare the IP address of the content-provider server against the database of authenticated IP addresses and the database of non-authenticated IP addresses; and provide an indication that the IP address of the content-provider server is an authenticated IP address, a non-authenticated IP address, or neither.

Advantageously, the client computer is operable to: obtain data from the content-provider server that includes a link to a further content-provider server; compare the IP address of the further content-provider server against the IP addresses of the fragment; and provide an indication that the IP address of the further content-provider server is included or excluded from the received database of IP addresses.

Conveniently, the content-provider server has a hostname and the client computer is operable to: obtain first data from the hostname; resolve the IP address of the hostname; obtain second data from the resolved IP address; compare the first data and second data; and provide an indication that the first data and second data are identical or non-identical.

Preferably, the fragment includes one or more URLs or portions of URLs associated with each IP address stored by the fragment, and the client computer is further operable to: compare at least a portion of the URL of the content-provider server against the URLs or portions of URLs of the fragment that are associated with the IP address of the content-provider server; and provide an indication that the IP address and the portion of the URL of the content-provider server is included in or excluded from the fragment.

Preferably, the fragment stores IP addresses associated with a URL.

Advantageously, the client computer is operable to provide a visual indication that the content-provider server is a trusted or non-trusted site.

Conveniently, the client computer operates a window-based operating system and the client computer is operable to determine whether an active window of the operating system is executing an application capable of requesting data from the content-provider server, and the client computer is operable to compare the IP address of the content-provider server and to provide an indication that the IP address of the content-provider server is included or excluded from the IP addresses of the fragment if it is determined that an active window is executing an application capable of requesting data from a content-provider server.

In a third aspect, the present invention provides a method of operating a client computer connectable to a content-provider server over a communications network, the method comprising: determining a domain name of the content-provider server; obtaining a fragment of a database of IP addresses, the fragment corresponding to the domain name of the content-provider server and storing one or more IP addresses associated with the domain name; comparing the IP address of the content-provider server against the IP addresses of the fragment; and providing an indication that the IP address of the content-provider server is included or excluded from the IP addresses of the fragment.

In a fourth aspect, the present invention provides a computer program or suite of computer programs, which may be provided on a computer-readable storage medium, executable by a client computer to perform the above method.

In a fifth aspect, the present invention provides a security server connectable to a client computer over a communications network, the security server storing a database of IP addresses as a plurality of fragments, each fragment corresponding to a domain name and storing IP addresses associated with the domain name, and the security server is operable to receive a request from the client computer for a fragment, and to deliver the requested fragment to the client computer.

Preferably, the security server stores each fragment as a file having a filename that is unique to the domain name to which the fragment corresponds, and the security server is operable to receive a request from the client computer for a fragment having a particular filename, and to deliver the fragment having the particular filename to the client computer.

Advantageously, the filename of the fragment is unique to both the domain name to which the fragment corresponds and to a domain name of the security server on which the fragment is stored.

Conveniently, the filename of the fragment is encrypted using encryption keys derived from the domain name to which the fragment corresponds and the domain name of the server on which the fragment is stored.

Preferably, the security server is connectable to a content-provider server over the communications network and the security server is operable to: receive one or more IP addresses from the content-provider server; and store the received IP addresses as a fragment, the fragment corresponding to a domain name of the content-provider server.

Advantageously, the security server stores a database of authenticated IP addresses and a database of non-authenticated IP addresses as a plurality of fragments.

Conveniently, the security server stores a database of authenticated IP addresses as a plurality of fragments, each fragment corresponding to a domain name and storing authenticated IP addresses associated with the domain name, and a database of non-authenticated IP addresses, and the security server is operable to: receive a request from the client computer for a fragment of the database of authenticated IP addresses; deliver the requested fragment to the client computer; receive a request from the client computer for the database of non-authenticated IP addresses; and deliver the database of non-authenticated IP addresses to the client computer.

Preferably, the security server is operable to receive a request from the client computer that includes information identifying a domain name of a content-provider server, and to deliver to the client computer a fragment corresponding to the identified domain name.

Advantageously, each fragment stores IP addresses associated with a URL.

In a sixth aspect, the present invention provides a method of operating a security server connected to a client computer over a communications network, the method comprising: storing a database of IP addresses as a plurality of fragments, each fragment corresponding to a domain name and storing IP addresses associated with the domain name; receiving a request from the client computer for a fragment; and delivering the requested fragment to the client computer.

In a seventh aspect, the present invention provides a computer program or suite of computer programs, which may be provided on a computer-readable storage medium, executable by a server computer to perform the above method.

In an eighth aspect, the present invention provides a client computer connectable to a content-provider server and to a security server over a communications network, the security server storing a database of IP addresses as a plurality of fragments, each fragment corresponding to a domain name and storing IP addresses associated with the domain name, and the client computer is operable to: determine the domain name of the content-provider server; obtain from the security server a fragment of the database of IP addresses corresponding to the domain name of the content-provider server; compare the IP address of the content-provider server against the received fragment of IP addresses; and provide an indication that the IP address of the content-provider server is included or excluded from the received fragment of IP addresses.

The term ‘window-based operating system’ as used herein is intended to encompass any operating system that makes use of windows in a graphic display, usually only one such window being active at any one time, and sometimes only one such window being visible on a graphic display at any one time. Examples of window-based operating systems include Microsoft Windows®, the various Macintosh® operating systems, as well as a variety of other window-based operating systems employed by various hand-held computer devices and third and higher generation mobile phones.

Highly sophisticated fraudsters have been known to engage in what is known as “IP address spoofing”. In this case, even when a webpage is sent to the client computer and the IP address has been checked and may be found to be an authenticated IP address, it may still be possible for a fraudulent site to have produced it. This is because it is possible to configure a web server to send information that appears to emanate from a different IP address to the one it actually comes from. However, this possibility can be readily overcome. If the apparently authenticated IP address is sent in substitution for the hostname or domain-name part of the URL, the apparently validated IP address can be authenticated for certain. If the same or similar content-data (e.g. webpage data) is returned then it follows that the content-data has come from a certainly authenticated IP address. If no reply is received or a totally different reply, then it can readily be surmised that the original content-data did not originate from the apparently authenticated IP address but from an altogether different fraudulent site. In this case, a danger warning should be given to override any other indication that might otherwise seem appropriate.
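The anti-spoofing check described above (and claimed as the "first data from the hostname / second data from the resolved IP address" comparison earlier in the summary) can be written down as a small client-side routine. The code below is an added example, not code from the patent: it fetches the page by hostname, fetches it again with the apparently authenticated IP substituted for the hostname, and compares the two bodies. The hostnames, IP addresses and page bodies are constructed, the DNS/HTTP layer is replaced by a lookup table so the example runs offline, and the use of a similarity ratio with a 0.9 threshold to decide "same or similar" is an assumption (the page does not say how similarity is measured).

```python
import difflib
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-ins for the network so the check runs offline. A real client
# would use the system resolver and an HTTP library; the page names neither.
HONEST_NET = {
    "www.onlinebank.com": "<html>OnlineBank login v3</html>",
    "203.0.113.10": "<html>OnlineBank login v3 </html>",  # genuine IP, same page
}
SPOOFED_NET = {
    # A fraudulent server answers the hostname while the packets appear to come
    # from the bank's authenticated IP; the genuine IP itself does not reply.
    "www.onlinebank.com": "<html>OnlineBank login v3</html>",
    "203.0.113.10": None,
}
DIFFERENT_NET = {
    # The genuine IP replies, but with something unrelated to what was served.
    "www.onlinebank.com": "<html>OnlineBank login v3</html>",
    "203.0.113.10": "<html>Welcome to our survey site</html>",
}


def make_fetch(net):
    """Return fetch(url) backed by one of the constructed tables: the body, or
    None when the host does not answer."""
    def fetch(url):
        return net.get(urlsplit(url).hostname)
    return fetch


def substitute_host(url, new_host):
    """Replace the hostname part of the URL with new_host (the apparently
    authenticated IP address), keeping scheme, port, path and query."""
    parts = urlsplit(url)
    netloc = new_host if parts.port is None else f"{new_host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def verify_origin(url, claimed_ip, fetch, threshold=0.9):
    """Fetch by hostname, fetch again by the claimed IP, compare the replies.
    Returns (verdict, similarity). 'DANGER' is meant to override any other
    indication, as the page requires; the threshold is an assumption."""
    first = fetch(url)                                 # first data, from the hostname
    second = fetch(substitute_host(url, claimed_ip))   # second data, from the IP
    if first is None or second is None:
        return "DANGER", 0.0                           # no reply from the claimed IP
    similarity = difflib.SequenceMatcher(None, first, second).ratio()
    if similarity >= threshold:
        return "CONFIRMED", similarity                 # same or similar content-data
    return "DANGER", similarity                        # totally different reply


if __name__ == "__main__":
    url = "https://www.onlinebank.com/home/login.shtml"
    for name, net in (("honest", HONEST_NET), ("spoofed", SPOOFED_NET),
                      ("different", DIFFERENT_NET)):
        print(name, verify_origin(url, "203.0.113.10", make_fetch(net)))
```

Two practical caveats the page does not address: dynamic pages legitimately differ between two fetches (session tokens, timestamps), which is why a similarity threshold rather than byte equality is used here; and for HTTPS the second request must still present the original hostname (SNI and the Host header) or the certificate check fails, so the substitution is better done at the connection level than in the URL text.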

BRIEF DESCRIPTION OF DRAWINGS

In order that the present invention may be more readily understood, embodiments thereof will now be described, by way of example, with reference to the accompanying drawings in which:

FIG. 1 is a schematic representation of a computer network;

FIG. 2 is a schematic diagram of databases stored on a security server embodying the present invention;

FIG. 3 is a schematic diagram of a client computer embodying the present invention;

FIG. 4 is a logic flow diagram of a method performed by a client computer embodying the present invention;

FIG. 5 shows part of a computer display illustrating an always-on-top status window;

FIG. 6 shows part of a computer display illustrating part of the taskbar at the bottom of the computer display;

FIG. 7 is a logic flow diagram of a further method performed by a client computer embodying the present invention; and

FIG. 8 is a schematic diagram of an alternative database stored on a security server embodying the present invention.

DETAILED DESCRIPTION

FIG. 1 shows the basic arrangement of a network, such as the Internet, in which a client computer 1 is connected to a plurality of content-provider servers 3 and to a security server 4 over a communications network 5.

Each content-provider server 3 has at least one IP address and stores content-data, such as HTML files, Java applets, sound and image files, etc., for downloading by the client computer 1. The present invention is particularly concerned with content-provider servers 3 that require user authorization from the client computer 1. For example, the content-provider server 3 may be an online bank, and content-data relating to a particular account holder, such as a statement of account, is provided only upon receipt from the client computer of a username and password. Alternatively, the content-provider server may be an online shop, whereupon goods may be purchased only upon receipt of the purchaser's credit or debit card details.

The content-data of a content-provider server 3 is generally accessed by way of a uniform resource locator (URL), e.g. www.onlinebank.com/home/login.shtml. The URL comprises a hostname and a path or filename, which in the present example are www.onlinebank.com and ‘/home/login.shtml’ respectively. The hostname comprises a domain name, such as a fully qualified domain name or a sub-domain. URLs and IP addresses are related but are not directly equivalent to each other. Thus, when a web browser requests content-data from the URL www.onlinebank.com/home/login.shtml, a domain name server (DNS) looks up and converts the hostname part of the URL into an IP address, such as 207.46.250.222 or whatever the appropriate IP address may be. Owing to domain-name aliasing, different hostnames may point to the same IP address. For example, www.onlinebank.co.uk or www.onlinebank.net may point to the same IP address as that of www.onlinebank.com. Moreover, stealth redirection means that a user accessing the same URL may be redirected to a different IP address on different occasions, even though the same hostname appears in the URL. Consequently, a user requesting content-data from a content-provider server 3, e.g. by entering a URL into his web browser, is generally unaware of the actual IP address and thus the actual server 3 providing the content-data.

As shown in FIG. 2, the security server 4 stores a database of non-authenticated IP addresses 6 and preferably a database of authenticated IP addresses 7. Each database 6, 7 comprises a list of IP addresses 8. Additionally, the databases 6, 7 may store related information 9 associated with each of the listed IP addresses, such as the date on which the IP address was entered or updated in the database, and the level of threat or authenticity associated with the IP address. For example, the IP addresses of a content-provider server 3 that is known to mimic an online bank may have a high threat level, whilst an online shop that does not appear to satisfy certain online security requirements may have a low threat level. The related information 9 associated with a particular IP address may also include details of the authority or subscriber that provided the IP address, as well as a graphical image (e.g. logo or animation) or sound clip associated with the authority or subscriber. Furthermore, the related information 9 may include one or more links associated with a particular IP address. For example, each database 6, 7 might store a set of URL links to websites that are promoted in response to a user accessing a particular content-provider server. Additionally, each database 6, 7 might store a set of URL links to other content-provider servers (e.g. websites) that provide information about a subscriber, not necessarily provided by the subscriber, such as company profile, consumer information, credit rating, market analysis, share price, etc. Accordingly, a user is presented with one or more secure links to content-provider servers that provide independent information regarding a particular subscriber/content-provider.

The database of non-authenticated IP addresses 6 lists IP addresses that have been identified as fraudulent or potentially insecure, i.e. the database 6 lists IP addresses of content-provider servers 3 that are not to be trusted. It is preferred that non-authenticated IP addresses be provided to the security server 4 by an organization of assured status and integrity, such as a police authority or other government authority responsible for monitoring fraud, a banking authority, or other authoritative body outside of the commercial control of the security provider responsible for the security server 4.

In a particular embodiment, a single assured organization is responsible for maintaining the non-authenticated database 6. The assured organization may deliver the entire database 6, or portions of the database 6 that have changed, to the security server 4. Alternatively, the security server 4 may retrieve the entire database 6, or portions of the database 6 that have changed, from the assured organization. Delivery or retrieval may occur periodically or whenever a change occurs to the database 6.

In an alternative embodiment, several assured organizations are responsible for maintaining the non-authenticated database 6. In this instance, each assured organization provides a portion of the non-authenticated database 6 stored on the security server 4. Each portion may be delivered to the security server 4 by the assured organization, or the security server 4 may retrieve the portion from the assured organization at periodic intervals.

The database of authenticated IP addresses 7 lists those IP addresses that have been provided by subscribers to the security server 4. Each subscriber is typically a content-provider that wishes to register its servers on the security server 4. For example, the subscriber may be the company OnlineBank, which provides a list of all its IP addresses. Each subscriber provides a portion of the authenticated database 7, which may be delivered to the security server 4 by the subscriber, or the security server 4 may retrieve the portion from the subscriber at periodic intervals.

In a particular embodiment, the subscriber may also provide a list of IP addresses that it regards as untrustworthy and should therefore be added to the database of non-authenticated IP addresses 6. However, maintenance of the database of non-authenticated IP addresses 6 is preferably carried out by assured organizations only.

The client computer 1, as illustrated in FIG. 3, comprises a processor 10 provided with a window-based operating system, a user-input device 11 (such as a keyboard and/or mouse), a visual display unit (VDU) 12, a memory 13 and a modem 14 for transferring data across the communications network 5. The client computer 1 may alternatively transfer data across the communications network 5 via a LAN, whereby the client computer 1 includes an ethernet card or similar device (not shown) for transferring data over the LAN, or indeed any other means for transferring data from the client computer 1 across the communications network 5.

The client computer 1 preferably includes a web-browser (e.g. as part of the operating system or stored separately in memory 13) for receiving content-data from the content-provider servers 3. However, any application-software suitable for receiving content-data from a content-provider server 3 (e.g. a file-browser or e-mail client operating in http, https, ftp, or similar protocol) may equally be used. Preferably, the web-browser or application-software is suitable for receiving user-authorization data from the user-input device 11 and for transferring the user-authorization data to a content-provider server 3.

The memory 13 stores a server-authentication application 15, which is executable by the processor 10. The server-authentication application 15 includes instructions for receiving (e.g. downloading) from the security server 4 the entire non-authenticated database 6 and preferably the entire authenticated database 7. The server-authentication application preferably provides the user with the opportunity to receive new, updated or refreshed databases 6, 7 from the security server 4 automatically, periodically without intervention of the user of the client computer 1, or by connection to the security server 4 at specified intervals or at times entirely at the option of the user. The received databases are then stored in memory 13. For the purposes of clarity, the databases stored on the client computer 1 shall be referred to hereafter as the client-database of non-authenticated IP addresses 16 (or alternatively the non-authenticated client-database) and the client-database of authenticated IP addresses 17 (or alternatively the authenticated client-database).

Referring to FIG. 4, the server-authentication application 15, when executed, additionally checks at 20 whether the active window of the window-based operating system has changed. In any window-based operating system, there will generally be a single active window on the computer's VDU 12, being the window on which various commands (for example “save”, “print”, etc.) may be initiated by the user-input device 11. Other windows may be open at the same time, whether visible on the VDU 12 or hidden behind other windows. The various windows open at any one time are usually displayed on a task bar or docking bar at an edge (e.g. the bottom) of the graphic display. An authentication check is performed whenever the active window changes. Thus, in the case of “yes” in the logic flow diagram of FIG. 4, indicating that the active window has changed, the server-authentication application 15 checks at 21 whether the new active window is a web-browser or other application capable of transferring data across the communications network 5. In the most preferred arrangement, if the active window is not a web-browser the server-authentication application may show a message 22 such as “no browser window active”. In particular arrangements, this feature may be absent or may be optionally turned off by a user.

However, if the new active window is, indeed, a web-browser or other application capable of transferring data across the communication network 5, the server-authentication application 15 checks the authentication of the content-provider server 3 from which the web-browser is requesting data. This is achieved by first converting at 23 the hostname portion of the URL of the content-provider server 3 into an IP address. There are a number of ways in which this can be done and persons skilled in this art will be aware of all of these. In the simplest arrangement, the hostname portion of the URL is converted into an IP address using a DNS server.

Once the IP address of the content-provider server 3 has been obtained, the IP address is checked 24 against the client-database of non-authenticated IP addresses 16 and the client-database of authenticated IP addresses 17, if present. If the IP address appears 24a in the client-database of non-authenticated IP addresses 16, a warning is provided 25 on the VDU 12 that the user would be wise to ignore any content-data (e.g. webpage data) downloaded from the relevant content-provider server 3. If the IP address appears 24b in the client-database of authenticated IP addresses 17, an indication is provided 26 that it is fine to proceed. The indication may include a visual logo or other indicia of a content-provider such that the user is able to easily and quickly identify that the content-provider server 3 is authentic. If the IP address does not appear in either of the client-databases 16, 17, a cautionary warning is preferably provided 27 to the user. Although here shown as visible indications, any of these warnings/indications may alternatively or additionally be given audibly.

Visible messages may be conveyed in a variety of different ways. Preferably warnings or cautions are given by means of a status window, such as those shown at 25, 26 and 27 in FIG. 4 (see also FIG. 6 below), that is always on top of any windows that are open on the VDU 12. It is important that this status window should be on top so that its reporting cannot be hidden by another window. It always reports on the active window, pop-up windows, frame sets, frames or other sub-windows. The user cannot interact with a window unless it is active, so that the active window is always the dominant window that is reported, although the system could also display the status of other open windows (see FIG. 5 below) and a history of other opened windows.

An example of a more complex on-top status window is illustrated in FIG. 5, which shows part of a webpage 28 that is the active window, its menu bars 29 being shown at the top of the display. Always on-top status window 30 is shown on top of the active window 28. Below its title bar 31 are icons representing those windows that are open, in this example. In other examples (see for example, FIG. 6 discussed below), only the active window may have an icon. In the case shown in FIG. 5, the larger icon 32 at the left of status box 30, indicating the active window, shows the icon of OnlineBank, a legitimate website. In this example three other windows are also open, but are not active. Icons corresponding to these are shown at a smaller size in the right-hand portion of status window 30. Of these, one, 33, shows the icon of ShopOnline, a legitimate site. Of the remaining two window icons, one, 34, is suitably depicted in red, this color and the word “warning” indicating that the site corresponding to it appears on the client-database of non-authentic IP addresses 16. Icon 35 indicates that a fourth window which is open but not active does not appear on either of the client-databases of authenticated and non-authenticated IP addresses 16, 17, and is suitably shown in yellow, indicating “Proceed with caution”.

In this example, if the user clicked on to the window corresponding to the red “Warning” indication, this would then become the active window, and the system may then run through the steps of the logic flow diagram of FIG. 4. The “Warning” indication will then appear larger on the left of on-top status window 30, where the OnlineBank icon is shown in FIG. 5, the OnlineBank icon being relegated to one of the smaller icons on the right, if the related OnlineBank window remains open, and an audible warning will also be given. Alternatively, since the window concerned will have been previously checked (hence its small icon in the right hand part of on-top status window 30 as shown in FIG. 5), the server-authentication application 13 may take account of this, and proceed as indicated above, but without first rechecking the reactivated window using the logic flow diagram of FIG. 4.

Warning indications may also, or alternatively, be displayed on the task bar or docking bar at the edge (e.g. bottom) of the display screen, as indicated in FIG. 6. The right hand side of a task bar 36 in a Microsoft Windows (RTM) operating system controlled computer has a clock 37 and a number of icons 38 indicating programs that are operating in the background. In some cases these icons will change depending upon the status of the program concerned. In the present system, as shown in FIG. 6, an icon 39 appears on the right hand side of the task bar and changes its status depending upon whether the active window, being a browser, has an IP address that appears in the client-database of non-authenticated IP addresses 16, the client-database of authenticated IP addresses 17 (if present), or in neither client-database. This change of status can suitably be indicated by changes in color: the icon 39 showing green if the IP address appears in the client-database of authenticated IP addresses 17, red if the IP address appears in the client-database of non-authenticated IP addresses 16, and yellow if the IP address appears in neither of the client databases 16, 17. Suitably, an audible warning is also given in either of the latter two cases. A similar icon 39 is displayed at the left end of the title bar for the on-top status window, as seen in this Figure and also in the messages shown at 25, 26 and 27 in FIG. 4, and may also change color in a similar fashion.

By these means the user is at all times informed as to the nature of the active window of his browser and, unless he chooses to ignore the warnings given, the server-authentication application 15 will help to prevent fraudulent extraction of personal details, such as bank information that can be used illegally. It will be appreciated that the system also gives assurance to a user: when a particular content-provider server 3 is confirmed as having an IP address on the authenticated client-database 16, the content-data from that server 3 (e.g. webpage data) may be trusted.

The server-authentication application 15 may optionally be configured so that the user can only proceed after a danger warning has been expressly acknowledged by the user, e.g. by means of an optional warning pop-up window which the user has to acknowledge.

Preferably, the server-authentication application 15 determines whether the hostname of the URL of the active window relates to a content-provider server 3 external to a local network, i.e. that the hostname relates to an Internet domain-name and not, for example, to a local hostname. If the application 15 determines that the hostname of the active window relates to a local network, the application 15 preferably provides a ‘Local Network’ indication on the VDU 12. Additionally, if the active window is executing an application that is resident on the client computer or if the application of the active window is accessing content-data resident on the client computer 1, the server-authentication application preferably displays ‘Not Analysed’ on the VDU; an icon or similar graphic, indicating the application that is executing in the active window, may also be displayed. Accordingly, the server-authentication application continually provides a user-indication of the status of the active window.

The content-data stored on a content-provider server 3 may include a link to content-data stored on another content-provider server having a different IP address. For example, webpage data of a first content-provider may include a frame that links to information provided by a second content-provider. A typical example of this is in the use of framed advertisements within a webpage. A fraudster may use the concept of frames to provide a content-provider server that first links to content-data provided by a legitimate site (e.g. a bank) and also to content-data provided by a fraudulent site. The content-data of the fraudulent site may appear as a framed advertisement which surreptitiously monitors all data traffic between the client computer 1 and the legitimate site. Accordingly, a user may be presented with a webpage that is obtained from a legitimate site, and therefore looks and behaves as a legitimate webpage, whilst the fraudulent frame within the webpage monitors any user-authorization data entered by the user. Alternatively, a fraudulent site may include a frame to a legitimate site to show apparent authenticity, or the fraudulent site may include a frame that mimics legitimate content, e.g. the fraudulent site may include a frame that appears as a complete webpage of a legitimate site, although it is in reality a frame.

The server-authentication application 15 therefore preferably resolves and checks the IP addresses of all hostnames of content-provider servers from which content-data is retrieved by the client computer 1. In other words, the server-authentication application 15 does not only resolve and check the IP address of the hostname of the URL that appears in the active window, but also any hostnames that are embedded within the content-data retrieved from the URL. For example, if the webpage www.onlinebank.com/home.html includes a link to www.onlineshop.com/logo.html then the server-authentication application 15 resolves and checks the IP addresses of both www.onlinebank.com and www.onlineshop.com.

It is possible that a subscriber may wish to include within its content-data an advertisement from a content-provider that is not a subscriber to the security server 4. In this instance, the IP address of the subscriber will appear in the authenticated database 7, but the IP address of the advertiser will not. Consequently, when the user visits the legitimate site of the subscriber, a warning is nevertheless provided by the server-authentication application 15. In order to prevent this from occurring, the related information 9 of the database of authenticated IP addresses 7 may include IP addresses of third-party servers that are regarded by the subscriber as legitimate for the purposes of inclusion within its content-data. The server-authentication application 15 then checks the IP address of the main hostname against the list of IP addresses 8 of the authenticated database 17. If the IP address is found within the database 17, then any hostnames that are embedded within the content-data retrieved from the main hostname are then resolved and checked against the third-party IP addresses stored in the related-information 9.
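The following Python listing is an added worked example and is not part of the patent specification. It illustrates the two preceding paragraphs: hostnames embedded in the retrieved webpage data are collected, resolved, and checked against the subscriber's own IP addresses 8 together with the third-party addresses recorded in its related information 9. The page markup, hostnames, IP addresses and the dictionary standing in for the DNS step are all constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page from www.onlinebank.com: it embeds a frame from
# www.onlineshop.com (a third party the subscriber vouches for) and an advert
# frame from a host the subscriber has not listed.
SAMPLE_PAGE = """
<html><body>
<iframe src="http://www.onlineshop.com/logo.html"></iframe>
<img src="/images/header.png">
<frame src="http://ads.example-unlisted.test/banner.html">
<a href="https://www.onlinebank.com/login">Log in</a>
</body></html>
"""

# Constructed stand-in for the DNS resolution step (23 in FIG. 4).
FAKE_DNS = {
    "www.onlinebank.com": "192.0.2.10",
    "www.onlineshop.com": "192.0.2.20",
    "ads.example-unlisted.test": "203.0.113.5",
}

# Constructed authenticated client-database 17: per subscriber, its own
# IP addresses 8 and the third-party addresses held as related information 9.
AUTH_DB = {
    "www.onlinebank.com": {
        "ips": {"192.0.2.10"},
        "third_party": {"192.0.2.20"},
    },
}


class HostCollector(HTMLParser):
    """Collects every hostname referenced by a src or href attribute."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                host = urlsplit(value).hostname
                if host:  # relative URLs stay on the main host; skip them
                    self.hosts.add(host.lower())


def embedded_hosts(html_text):
    """Return the set of hostnames embedded in the content-data."""
    parser = HostCollector()
    parser.feed(html_text)
    return parser.hosts


def check_page(main_host, html_text, dns=FAKE_DNS, auth_db=AUTH_DB):
    """Check the main hostname, then every embedded hostname.

    Returns ("ok", []) when the main host is authenticated and all embedded
    hosts resolve to the subscriber's own or listed third-party addresses,
    ("warning", [hosts]) when some embedded host does not, and ("caution", [])
    when the main host itself is not in the authenticated client-database.
    """
    entry = auth_db.get(main_host)
    main_ip = dns.get(main_host)
    if entry is None or main_ip not in entry["ips"]:
        return "caution", []
    allowed = entry["ips"] | entry["third_party"]
    unlisted = sorted(
        host for host in embedded_hosts(html_text) - {main_host}
        if dns.get(host) not in allowed
    )
    return ("ok", []) if not unlisted else ("warning", unlisted)
```

The parser only looks at `src` and `href` attributes, which covers frames, iframes, images and links; content loaded by script at run time is not visible to this static pass, so a deployment would also need to observe the browser's actual requests.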

A content-provider server 3 may store both non-fraudulent and fraudulent content-data. In particular, a content-provider server 3 may host different websites. For example, the content-provider server 3, www.freewebsite.com, may host the website of John, www.freewebsite.com/John/home.html, and the website of Peter, www.freewebsite.com/Peter/home.html. Whilst John provides a legitimate website, the website provided by Peter is a spoof website. Since the hostname of both websites is the same, the resolved IP address of each website will also be the same. Consequently, both websites are treated equally by the server-authentication application 15. The legitimate website provided by John may therefore be reported as a fraudulent site or, alternatively, the spoof site provided by Peter may be reported as a legitimate site. In order to prevent this situation from occurring, the database of non-authenticated IP addresses 6 and the database of authenticated IP addresses 7 preferably store not only IP addresses but also the URL or part of the URL associated with the IP address. For example, if the IP address of www.freewebsite.com is 121.202.327.75, the database of non-authenticated IP addresses 6 might store the IP address 121.202.327.75 and the path ‘\Peter’ and/or the filename ‘\Peter\home.html’, whilst the database of authenticated IP addresses 7 might store 121.202.327.75 and ‘\John’ and/or ‘\John\home.html’. The server authentication application 15 is then operable to check both the IP address and also at least part of the URL against the corresponding client-databases 16, 17. Only if both the IP address and at least part of the URL appear in the client-databases 16, 17 is a warning 25 or indication 26 provided.

The database of non-authenticated IP addresses 6, the client-database of non-authenticated IP addresses 16, and any fragment 18 may store only the domain name, URL or part of a URL of a particular content-provider server 3. In this case, the IP address of the domain is stored in the database 6, 16 or fragment 18 as a series of asterisks (i.e. ***.***.***.***) or some other artificial IP address (e.g. 999.999.999.999), which the server authentication application 15 uses to identify a server as having no specific or fixed IP address. For example, the website www.falsewebsite.com may change its IP address frequently in order to avoid detection. If the IP address of a content-provider server 3 is not found in the client-database of non-authenticated IP addresses 16, the domain name, URL or part URL of the content-provider server 3 is then compared against each of the entries in the client-database 16 having an artificial IP address. If the domain name, URL or part URL of the content provider server 3 appears in the client database 16, a suitable warning is provided 25. Alternatively, the comparison of domain names, URL or part URL may be carried out before the comparison of IP addresses. By storing the domain name, URL or part URL of content provider servers 3 that employ frequently-changing IP addresses, the server authentication application 15 is still able to identify fraudulent content providers.
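The following Python listing is an added worked example, not code from the patent. It brings together the three forms of database entry described above: the plain IP-address check of FIG. 4 (indications 25, 26 and 27), the IP-plus-path entries for a shared host such as www.freewebsite.com, and the domain-only entries carrying an artificial IP address such as 999.999.999.999. The database contents and the dictionary standing in for DNS are constructed; the patent's example address 121.202.327.75 is kept as the page gives it, and the paths are written with forward slashes so they compare directly against URL paths.

```python
from urllib.parse import urlsplit

# Artificial addresses that mark an entry as "match on name, not on IP".
ARTIFICIAL_IPS = {"***.***.***.***", "999.999.999.999"}

# Constructed client-databases. Each entry is (ip, hostname_or_None,
# path_prefix_or_None). A None hostname/path means "any".
NON_AUTH_DB = [  # client-database of non-authenticated IP addresses 16
    ("198.51.100.7", None, None),                        # plain IP entry
    ("121.202.327.75", None, "/Peter"),                  # shared host, Peter's path
    ("999.999.999.999", "www.falsewebsite.com", None),   # domain-only entry
]
AUTH_DB = [      # client-database of authenticated IP addresses 17
    ("192.0.2.10", None, None),
    ("121.202.327.75", None, "/John"),
]

# Constructed stand-in for DNS resolution (step 23 of FIG. 4).
FAKE_DNS = {
    "www.freewebsite.com": "121.202.327.75",
    "www.onlinebank.com": "192.0.2.10",
    "www.falsewebsite.com": "203.0.113.9",   # changes often; the DB ignores it
}


def _path_matches(prefix, path):
    """A stored path prefix matches the path itself or anything beneath it."""
    if prefix is None:
        return True
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def _matches(db, host, ip, path):
    for db_ip, db_host, db_path in db:
        if db_ip in ARTIFICIAL_IPS:
            # Domain-only entry: compare the hostname, ignore the resolved IP.
            if db_host == host:
                return True
        elif db_ip == ip and _path_matches(db_path, path):
            return True
    return False


def classify(url, dns=FAKE_DNS, non_auth=NON_AUTH_DB, auth=AUTH_DB):
    """Return 'warning' (25), 'ok' (26) or 'caution' (27) for a URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    ip = dns.get(host)           # None for an unresolvable host
    if _matches(non_auth, host, ip, path):
        return "warning"
    if _matches(auth, host, ip, path):
        return "ok"
    return "caution"
```

The non-authenticated database is consulted first so that a host listed as fraudulent is never reported as authentic merely because its address also appears in an authenticated entry; the order of the IP and name comparisons within one database does not change the result, as the specification notes.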

In the most preferred arrangement, the server-authentication application 15 also guards against IP-address spoofing, in which the IP address, having been checked, may appear on the authenticated client-database 17 or on neither of the authenticated and non-authenticated client-databases 16, 17, and yet the content-data (e.g. webpage data) may still emanate from a fraudulent source. A sophisticated fraudster can configure a content-provider server 3 to send content-data that appears to emanate from a different IP address to the one it actually does come from. To overcome this, in the most preferred arrangement, when the check carried out at 24 shows either that the IP address of the active window appears on the client database of authenticated IP addresses 17, or that the IP address of the active window does not appear on either of the client-databases 16, 17, and so could still possibly be a legitimate site, a further short routine is performed, as illustrated in FIG. 7.

The apparently authenticated IP address or the IP address that does not appear on either client-database 16 or 17 is substituted at step 40 for the hostname portion of the URL, and a request for the content-data of the URL is sent. Thus, for example, if the web-browser receives content-data (e.g. webpage data) claiming to be from www.mybank.com/customer/data/home.html and the server-authentication application 15 ascertains at 23 in the flow diagram of FIG. 4 that the IP address of www.mybank.com is, say, 123.456.789.100, then at step 40 the server-authentication application 15 sends a request for the content-data of http://123.456.789.100/customer/data/home.html. The same or similar content-data should be returned. If it is, at step 41, then the implication 42 is that the site is likely to be legitimate and then, depending upon whether the IP address appears in the client-database of authenticated IP addresses 17 or does not appear in either client-database 16, 17, the “OK to proceed” indication 26 or the “Proceed with caution” indication 27 will be displayed.

However, if different content-data is provided (i.e. if the webpage appears different) as a result of the resent request 40 as indicated at 43, or if no reply is provided 44, then the server-authentication application 15 draws the implication at step 45 that the content-provider server 3 is likely to be illegitimate, notwithstanding that the original apparently derived IP address at step 23 may have indicated an IP address that appeared on the authenticated client-database 17 (or did not appear on either client-database 16, 17 and so could possibly be legitimate). Accordingly, in event 45, rather than displaying either the “OK to proceed” indication 26 or the “Proceed with caution” indication 27, the clear “Warning” indication 25 is displayed.
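The routine of FIG. 7 as just described, written out as an added Python example that is not part of the patent: the hostname portion of the URL is replaced by the resolved IP address (step 40), the content-data is requested again, and the outcome 42, 43 or 44 decides whether the earlier indication stands or is replaced by the “Warning” indication 25. The retrieval function is a constructed dictionary lookup rather than a network request, the page contents are constructed, and the similarity threshold is an assumption of this example; the patent says only that “the same or similar content-data” should be returned.

```python
import difflib
from urllib.parse import urlsplit, urlunsplit

# Constructed content-data keyed by URL; stands in for HTTP retrieval.
PAGES = {
    # Legitimate server answers identically by name and by IP address.
    "http://www.mybank.com/customer/data/home.html":
        "<html><body>Welcome to MyBank online banking</body></html>",
    "http://123.456.789.100/customer/data/home.html":
        "<html><body>Welcome to MyBank online banking</body></html>",
    # Spoofed server: answers by name but serves unrelated content by IP.
    "http://www.example-shop.test/index.html":
        "<html><body>Welcome to Example Shop, browse our catalogue</body></html>",
    "http://203.0.113.10/index.html":
        "<html><body>Please enter your PIN and card number</body></html>",
    # Spoofed server with no reply at all for the IP-form request.
    "http://www.spoofbank.test/login.html":
        "<html><body>Enter your details</body></html>",
}


def fake_fetch(url):
    """Constructed stand-in for fetching content-data; None means no reply."""
    return PAGES.get(url)


def ip_form(url, ip):
    """Step 40: substitute the resolved IP address for the hostname portion."""
    parts = urlsplit(url)
    netloc = ip if parts.port is None else f"{ip}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def spoof_check(url, ip, base_indication, fetch=fake_fetch, threshold=0.9):
    """Apply the FIG. 7 routine to an address that passed check 24.

    base_indication is "ok" (26) or "caution" (27). Returns that indication
    when the re-request yields the same or similar content (42), or
    "warning" (25) when the content differs (43) or nothing comes back (44).
    """
    original = fetch(url)
    refetched = fetch(ip_form(url, ip))
    if original is None or refetched is None:
        return "warning"                                 # event 44
    similarity = difflib.SequenceMatcher(None, original, refetched).ratio()
    if similarity < threshold:
        return "warning"                                 # event 43
    return base_indication                               # event 42
```

A practitioner would note that, where several sites share one address under name-based virtual hosting, an IP-form request that omits the `Host` header will legitimately return a different page; a deployment must send the original hostname in that header so that only genuine discrepancies trigger the warning.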

Additionally, or alternatively, the server-authentication application 15 may alert the user to spoofing by displaying the actual hostname or URL, as well as the IP address, of the content-data or content-provider server 3 such that the user can immediately identify whether the actual hostname or URL corresponds to that which appears in the active window.

In the above-described embodiment, the server-authentication application 15 receives (e.g. downloads) from the security server 4 the entire database of non-authenticated IP addresses 6 and also the entire database of authenticated IP addresses 7. As the number of subscribers to the service provided by the security server 4 increases, the size of the authenticated database 7 will naturally increase. With sufficient numbers of subscribers, the size of the authenticated database 7 may become excessively large such that too much time is spent by the client computer 1 in receiving the database 7. Moreover, it is unlikely that a user will download content-data from each and every one of the subscribers having IP addresses stored in the database 7.

Accordingly, in an alternative embodiment as illustrated in FIG. 8, the database of authenticated IP addresses 7 comprises a plurality of fragments 18, each fragment 18 corresponding to a particular domain 19 and storing IP addresses 8 associated with the domain 19. Related information 9, such as the date on which the fragment was created, the subscriber that provided the fragment, URL links etc., may again be additionally stored, with each fragment 18 having respective related information 9.

The database of non-authenticated IP addresses 6, like that of the authenticated database 7, may also comprise a plurality of fragments 18, each fragment 18 corresponding to a particular domain 19 and storing IP addresses 8. Preferably, each fragment 18 comprises both a list of non-authenticated IP addresses and a list of authenticated IP addresses 8. Consequently, a content-provider is able to provide a fragment 18 that stipulates which sites (i.e. IP addresses) it considers to be genuine and which sites it considers to be fraudulent. When the fragment 18 is received (e.g. downloaded) by the server-authentication application 15, the relevant portions of the fragment (e.g. the lists of non-authenticated and authenticated IP addresses) are extracted and added to the client databases 16, 17.

In this alternative embodiment, the server-authentication application 15 includes instructions to determine the hostname of the URL of the active window. The application 15 then compares the hostname against the client-database of authenticated IP addresses 17. If a fragment corresponding to the hostname is found in the client-database 17, the IP address of the hostname is resolved and compared against the IP addresses listed for that fragment, in the manner described above.

If, however, no fragment 18 corresponding to the hostname can be found in the client-database of authenticated IP addresses 17 (e.g. if no fragments having the same domain as that of the hostname are found), then preferably a similar search is made of the server database of authenticated IP addresses 7. In particular, the server-authentication application 15 establishes a connection with the security server 4 and compares the hostname of the content-provider server 3 against the server-database fragments. If a fragment 18 corresponding to the hostname is found in the server-database of authenticated IP addresses 7, the relevant fragment is delivered to the client computer 1. The IP address of the hostname is then resolved and compared against the IP addresses listed in the fragment, in the manner described above. The received fragment is then added to the existing client-database 17 for future use. If no fragment 18 corresponding to the hostname of the content-provider server 3 can be found in the server-database fragments, the server-authentication application 15 provides an indication (e.g. the “Proceed with caution” indication) that the authenticity of the content-provider server 3 could not be verified.

Rather than comparing the hostname of the active window URL against fragments of the client-database 17, the client computer 1 may alternatively store a database of visited servers in memory 13. The database of visited servers stores a list of hostnames of content-provider servers 3 that have previously been accessed by the client computer 1, or alternatively a list of domains of content-provider servers 3 that have been accessed. The hostname of the URL is then compared against the database of visited servers. If a match is found, the IP address of the hostname is resolved and compared against the IP addresses listed in the client-database 17 in the manner described above. If, however, a match is not found, then the hostname is added to the database of visited servers by the server-authentication application 15. The application 15 then establishes a connection with the security server 4 and compares the hostname against the server-database of authenticated IP addresses 7. If a fragment 18 corresponding to the hostname is found in the server-database of authenticated IP addresses 7, the relevant fragment is delivered to the client computer 1, whereupon the received fragment is added to the existing client-database 17. The IP address of the hostname is then resolved and compared against the IP addresses listed in the client-database 17 in the manner described above.

Where the client-database of authenticated IP addresses 17 is stored as fragments 18, it is possible for the authenticated client-database 17 to become outdated. For example, once the fragment for ‘onlinebank.com’ is added to the client-database 17, it is possible for the server-authentication application 15 to re-authenticate the site ‘onlinebank.com’ at a later date without having to rely upon the security server 4. In order to prevent the authenticated client-database 17 from becoming outdated, the server-authentication application 15 may periodically refresh fragments 18 and retrieve once again the fragments 18 from the security server 4. The related-information 9 associated with each fragment may include a creation or expiry date, which is used by the server-authentication application 15 to determine when to refresh the fragment or, alternatively, delete the fragment from the client-database 17. Similarly, where the client computer 1 stores a database of visited servers, each entry in the database may include a creation or expiry date, which is again used by the server-authentication application 15 to determine when to refresh the entry and corresponding fragment or, alternatively, delete the entry from the database.
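The fragment-based lookup of the last four paragraphs, as an added Python example that is not part of the patent: a fragment 18 is looked up locally by the domain 19 of the hostname, fetched from the security server 4 only when absent or past its expiry date, kept in the client-database 17 for reuse, and discarded and refreshed once expired. The security server is a constructed dictionary, the fragment contents and dates are constructed, and reducing a hostname to its last two labels is an assumption made for the example (real registrable-domain rules are longer).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Fragment:
    """One fragment 18: a domain 19, its IP address lists and related info 9."""
    domain: str
    auth_ips: frozenset
    non_auth_ips: frozenset
    expires: datetime


T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed stand-in for the server-database of authenticated IP addresses 7.
SECURITY_SERVER = {
    "onlinebank.com": Fragment(
        domain="onlinebank.com",
        auth_ips=frozenset({"192.0.2.10"}),
        non_auth_ips=frozenset({"198.51.100.7"}),
        expires=T0 + timedelta(days=7),
    ),
}


def registrable_domain(host):
    """Assumption for this example: the last two labels form the domain 19."""
    return ".".join(host.lower().split(".")[-2:])


class FragmentCache:
    """Client-side client-database 17 held as fragments, with expiry handling."""

    def __init__(self, server, now=T0):
        self.server = server
        self.now = now            # injected clock so the behaviour is testable
        self.fragments = {}       # domain 19 -> Fragment 18
        self.server_calls = 0     # how often the security server was consulted

    def _get_fragment(self, domain):
        fragment = self.fragments.get(domain)
        if fragment is not None and fragment.expires > self.now:
            return fragment                          # fresh local copy
        self.fragments.pop(domain, None)             # expired or absent: drop it
        self.server_calls += 1
        fragment = self.server.get(domain)           # ask the security server
        if fragment is not None:
            self.fragments[domain] = fragment        # keep for future use
        return fragment

    def lookup(self, host, ip):
        """Return 'warning' (25), 'ok' (26) or 'caution' (27) for host at ip."""
        fragment = self._get_fragment(registrable_domain(host))
        if fragment is None:
            return "caution"            # authenticity could not be verified
        if ip in fragment.non_auth_ips:
            return "warning"
        if ip in fragment.auth_ips:
            return "ok"
        return "caution"
```

An expired fragment is removed before the refresh is attempted so that, if the security server cannot be reached, the application falls back to “Proceed with caution” rather than continuing to vouch for stale addresses.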

In a further embodiment, fragments 18 associated with a particular domain may be stored on a content-provider server 3 of a subscriber. For example, the fragment for ‘onlinebank.com’ may be stored on a server provided by OnlineBank in addition to or rather than the security server 4. In this embodiment, the server-authentication application 15 then receives the relevant fragment from the content-provider server 3 rather than the security server 4. Preferably, the relevant fragment is received (e.g. downloaded) from the content-provider server 3 in response to the client computer 1 requesting content-data from the content-provider server 3, e.g. when attempting to view webpage data. Similarly, the database of non-authenticated IP addresses 6 may be additionally or exclusively stored on a server of an assured organization. Indeed, the server-authentication application 15 may present the user with the option of receiving (e.g. downloading) fragments/databases exclusively from the security server 4 or additionally from the server of the relevant content-provider/organization if the fragment/database is unavailable from the security server 4.

Although each fragment 18 may comprise a list of non-authenticated IP addresses in addition to a list of authenticated IP addresses 8, the fragment 18, and therefore its list of non-authenticated IP addresses, is obtained only after receiving (e.g. downloading) the fragment from the content-provider server 3. It is therefore possible that the client-database of non-authenticated IP addresses 16 will not include information on known fraudulent sites until such time as the content-provider server 3 has been visited and the fragment 18 obtained. Accordingly, the server-authentication application 15 preferably also receives from the security server 4, or other assured organization, the database of non-authenticated IP addresses 6 at regular intervals in addition to any fragments that may have been received. Rather than receiving the entire database 6, the server-authentication application 15 may check regularly for updates that become available. As already noted, the server-authentication application 15 preferably provides the user with the opportunity to receive a new, updated or refreshed database 6 from the security server 4 at periodic intervals.

The databases 6, 7, as well as any fragments 18, are preferably encrypted using a proprietary 256-bit encryption having keys derived from the domain name of the server 3, 4 storing the database 6, 7 or fragment 18 and the domain name from which the database 6, 7 or fragment 18 is received by the server-authentication application 15. Accordingly, the server authentication application 15, upon decrypting the received databases 16, 17 or fragments 18, is able to determine whether the databases 16, 17 or fragments were received from the correct source and that the data contained therein is self-consistent. Additionally, in the case of fragments 18, the server-authentication application 15 is able to determine that the received fragment contains information corresponding to the correct domain. Even if a fraudster were to download an encrypted database 6, 7 or fragment 18 and, with significant computing power, decrypt the database 6, 7 or fragment 18 with the intention of inserting false IP addresses, the fraudster would not know the relevant key to re-encrypt the database 6, 7, or fragment 18 in order to, for example, place the fake encrypted database 6, 7 or fragment 18 on a spoof server. Encryption therefore prevents a spoof site creating an apparently valid database 6, 7, or fragment 18.

In addition to encrypting the contents of the fragments 18, the filename of each fragment 18 may also be encrypted. For example, the fragment 18 corresponding to the domain 19 onlinebank.com may be stored on the security server 4 or a specific content-provider server 3 as a file called hqofmnn9hc64pxvk.xml, which has no apparent relation to the actual domain name. The filename of the fragment 18 is preferably encrypted using a first key based upon the domain 19 to which the fragment 18 relates (e.g. onlinebank.com) and a second key based upon the domain of the security server 4 or the specific content-provider server 3. The filename of the fragment 18 will therefore be different when stored on different servers. In order to retrieve a fragment 18, the server-authentication application 15 first resolves the fragment filename using the domain 19 to which the fragment 18 relates and the domain of the server 3, 4 storing the fragment 18. The server-authentication application 15 then retrieves (e.g. downloads) from the server 3, 4 a file having the resolved filename. Since the filename of the fragment depends upon the domain of the server storing the fragment, a fragment copied from a first server to a second server (e.g. from the security server 4 to a fraudulent server) will not be found by the server-authentication application 15.
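The binding of a fragment and its filename to the two domain names, described in the two preceding paragraphs, as an added Python example that is not part of the patent. The patent's cipher is proprietary and unspecified, so this example substitutes HMAC-SHA256 from the standard library: a key is derived from the fragment's domain 19 and the domain of the server holding it, the obscured filename is derived from that key, and the fragment body carries an authentication tag under the same key. The shared secret, domain names and fragment contents are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret. A key derived from public domain names alone
# could be recomputed by anyone, so the example mixes in a secret that only
# the application and the issuing servers hold.
SECRET = b"constructed-shared-secret-for-this-example"


def fragment_key(fragment_domain, server_domain, secret=SECRET):
    """Derive the per-fragment key from both domain names (the page's first
    and second keys) and the shared secret."""
    context = f"{fragment_domain.lower()}\x00{server_domain.lower()}".encode()
    return hmac.new(secret, context, hashlib.sha256).digest()


def fragment_filename(fragment_domain, server_domain, secret=SECRET):
    """Obscured filename, different for every (fragment, server) pair."""
    digest = fragment_key(fragment_domain, server_domain, secret)
    # 10 bytes of base32 give a 16-character name like the page's example.
    return base64.b32encode(digest[:10]).decode().lower() + ".xml"


def seal_fragment(payload, fragment_domain, server_domain, secret=SECRET):
    """Serialize a fragment and append a tag bound to both domains."""
    body = json.dumps({"domain": fragment_domain, **payload}, sort_keys=True).encode()
    key = fragment_key(fragment_domain, server_domain, secret)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def open_fragment(blob, expected_domain, received_from, secret=SECRET):
    """Verify a received fragment against the domain it should describe and
    the server it was received from. Returns the payload, or None when the
    tag does not verify (tampered, re-hosted, or for another domain)."""
    body, _, tag = blob.rpartition(b"\n")
    key = fragment_key(expected_domain, received_from, secret)
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected_tag, tag):
        return None
    payload = json.loads(body)
    if payload.get("domain") != expected_domain:
        return None
    return payload
```

The specification attributes source and integrity checking to encryption; in practice confidentiality and integrity are separate properties, and it is the keyed tag here, not the obscuring of the contents, that lets the application detect a fragment that was altered or copied to another server.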

The server-authentication application 15 may store a history database of recently visited sites, i.e. a list of content-provider servers 3 from which content data has recently been retrieved by the client computer 1. By way of example, the history database may include a list of all content-provider servers 3 that have been visited in the last month. When the server-authentication application 15 is idle, the application 15 may retrieve fragments 18 corresponding to those content-provider servers 3 that are listed in the history database. In this manner, the fragments 18 of content-provider servers 3 that are likely to be revisited are kept up-to-date such that no noticeable delay is observed by the server-authentication application 15 when the content-provider servers 3 are revisited. The history database preferably includes information regarding the date and/or time on which the fragment 18 corresponding to a particular content-provider server 3 was last retrieved or updated. The server-authentication application 15 then retrieves only those fragments 18 where the authenticity of the fragment 18 has time-expired.

The server-authentication application 15, which is the software necessary to configure a client computer 1 to operate in the manner described above and to provide security against phishing over the communications network 5, may be provided as a single computer program or suite of computer programs, which may be provided on a computer-readable data storage device, such as a floppy disk or a CD/DVD. Alternatively, the computer program or suite of computer programs may be made available for download over the communication network 5 from the security server 4 (see FIG. 1), or from a trusted content-provider server 3, such as a bank, licensed to provide the software.

To prevent fraudsters spoofing the server-authentication software, the user is requested to enter a unique identifier upon installing the software. The unique identifier entered by the user is then encrypted, preferably using a key particular to the user's copy of the server authentication software, and stored (e.g. as a file) in the memory 13 of the client computer 1. The server-authentication application 15, when executed, decrypts and displays the unique identifier on the VDU 12, e.g. on the title bar of the server-authentication application 15. If the server-authentication software were to be replaced (e.g. by a fraudulent copy), the encryption key would be unknown and accordingly an incorrect unique identifier would be displayed by the application 15 on the VDU. Accordingly, the user is provided with an indication if the server-authentication software has been changed.

Banks, financial institutions and other e-commerce or similar content-providers which provide services and/or information over the Internet and which rely upon user-authorization data (e.g. personal details of a user) or wish to assure users of the validity of their webpages and any information thereby conveyed may register their IP addresses with the provider of the security server 4 to be included in the database 7 of authenticated IP addresses.

Provision may also be made for users themselves to enter frequently used websites, by their URLs converted into IP addresses, or by the IP addresses themselves, into the authenticated client-database 17 maintained on the client computer 1 so as to avoid unnecessary “Caution” warnings being displayed simply because the content-provider of an otherwise legitimate website may choose not to subscribe to the service provided by the security server 4.

Although the invention has been described hereinabove in terms of databases being stored on a client computer 1 both for authenticated IP addresses 17 and for non-authenticated IP addresses 16, and these databases being used to determine whether the IP address of a particular website appeared on one of these two databases or on neither, with appropriate messages or other indications being conveyed to the user in each of these three circumstances, this is not always necessary.

For example, only a database of authenticated IP addresses 17 may be stored, and in that case, the server-authentication application 15 is only able to give assurance that a website may be trusted when its IP address is found in that database (and, if the check against address spoofing feature is included, the address is additionally shown not to have been spoofed). Equally well, only a database of non-authenticated IP addresses 16 may be stored, and in that case, the server-authentication application 15 is only able to give a clear danger warning when the IP address of a particular website appears in this database or (if the check against address spoofing feature is also included) if the address is shown to have been spoofed.

It should be appreciated and understood that the above descriptions of authenticating a content-provider server by the client computer can also be performed by the server. According to a further embodiment, content including but not limited to email messages, instant messages, chat messages, documents, webpages, and link data can be filtered at the server before being communicated to the client computer or before being displayed to an end user on the client computer.

For instance, a server or server component can determine a domain name of the content-provider server (e.g., website, email (sender) server). The server or server component can also request data from the content-provider server in order to obtain a fragment of a database of IP addresses. The data can include, but is not limited to, at least one fragment of a database of IP addresses. The fragment corresponds to the domain name of the content-provider server and one or more IP addresses associated with the domain name. Thereafter, the server or server component can compare the IP address of the content-provider server against the IP addresses of the fragment and provide an indication that the IP address of the content-provider server is included or excluded from the IP addresses of the fragment.

The server or server component can also determine whether data from the content-provider server has been previously requested. If it has been received within a pre-determined time indicating validity of the data, the server or server component can access one or more of its databases or memory stores to obtain the information. Otherwise, the fragment can be obtained if the request for such data has not already been submitted to the content-provider server.

According to this embodiment, the client computer is not tasked with determining whether the content is from an authenticated, non-authenticated, or unknown source, nor is the end user exposed to potentially damaging information (e.g., spam, phishing messages, viruses, etc.). Rather, this determination is made at the server level and by the server, thereby affording additional protection to the client computer as well as to the end user, which in some cases may be desired. In addition, the end user is not necessarily tasked with choosing whether to view or download content from a server that is not authenticated or that is unknown (neither authenticated nor non-authenticated), as this decision can be burdensome to some users since making a bad decision may have significant impact to the user's computer as well as to the server and other connected client computers. However, it should be appreciated that the end user can request to be informed when content from a content-provider is blocked.

In practice, for example, suppose that an email message has been “sent” to user Q. Before user Q receives the message in his email client mailbox, the server determines whether the email contains links to a trusted source (e.g., authenticated content-provider server/IP address) or non-trusted source in a manner as described above. This evaluation can be performed in part through the use of server-based databases (e.g., server-authenticated databases), independent of client-maintained databases.

Moreover, server-authenticated and server-non-authenticated databases can be maintained, updated, and employed—at or by the server—to determine whether a content-provider server is authenticated, non-authenticated, or neither, without the client computer having to perform a similar authentication. As a result, a server that receives messages sent to user Q can essentially filter such content on the server side before any messages are delivered to user Q.
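The server-side procedure of the preceding paragraphs (resolve the domain, obtain the per-domain fragment, reuse it while it is still fresh, compare the observed IP address, report one of three outcomes, and filter a message before delivery), as an added example that is not part of the patent text. The fragment contents, the DNS answers, the message and the delivery policies are constructed for the example; `FragmentCache`, `classify`, `scan_message` and `should_deliver` are this example's own names. Fetching a fragment is simulated by a table lookup where a real server would query the security server 4.

```python
"""Added example (not the patent's code): server-side check of a
content-provider's IP address against a per-domain fragment, with a
time-limited cache of fragments and a three-way outcome."""
import ipaddress
import re
import time
from typing import Callable, Dict, Set, Tuple
from urllib.parse import urlparse

# Constructed per-domain fragments of the security server's two databases
# (authenticated = registered by the provider; non-authenticated = known bad).
AUTHENTICATED_FRAGMENTS: Dict[str, Set[str]] = {
    "bank.example": {"203.0.113.10", "203.0.113.11"},
}
NON_AUTHENTICATED_FRAGMENTS: Dict[str, Set[str]] = {
    "bank-login.example": {"198.51.100.7"},
}
# Constructed DNS answers standing in for the server's own resolution step.
DNS: Dict[str, str] = {
    "bank.example": "203.0.113.10",
    "bank-login.example": "198.51.100.7",
    "news.example": "192.0.2.33",
}

Fragment = Tuple[Set[str], Set[str]]  # (authenticated set, non-authenticated set)


class FragmentCache:
    """A fragment already obtained is reused while younger than `ttl` seconds;
    otherwise it is (re)fetched, here from the constructed tables above."""

    def __init__(self, ttl: float, clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._store: Dict[str, Tuple[float, Fragment]] = {}
        self.fetches = 0  # how often a fragment actually had to be obtained

    def fragment(self, domain: str) -> Fragment:
        entry = self._store.get(domain)
        if entry is not None and self.clock() - entry[0] < self.ttl:
            return entry[1]
        self.fetches += 1
        frag = (AUTHENTICATED_FRAGMENTS.get(domain, set()),
                NON_AUTHENTICATED_FRAGMENTS.get(domain, set()))
        self._store[domain] = (self.clock(), frag)
        return frag


def classify(domain: str, ip: str, cache: FragmentCache) -> str:
    """Three-way outcome for (domain, observed IP). An address outside both sets,
    even for a registered domain, stays 'unknown': it may be a spoofed address."""
    auth, nonauth = cache.fragment(domain)
    addr = str(ipaddress.ip_address(ip))  # normalise; raises on junk input
    if addr in auth:
        return "authenticated"
    if addr in nonauth:
        return "non-authenticated"
    return "unknown"


_URL_RE = re.compile(r"https?://[^\s<>\"']+")


def scan_message(body: str, cache: FragmentCache) -> Dict[str, str]:
    """Classify the host of every link in a message body before delivery."""
    results: Dict[str, str] = {}
    for url in _URL_RE.findall(body):
        host = urlparse(url).hostname
        if not host:
            continue
        ip = DNS.get(host)
        results[host] = classify(host, ip, cache) if ip else "unknown"
    return results


def should_deliver(results: Dict[str, str], policy: str = "block-non-authenticated") -> bool:
    """Server-side delivery decision under two example policies."""
    if policy == "block-non-authenticated":
        return "non-authenticated" not in results.values()
    if policy == "allow-only-authenticated":
        return all(v == "authenticated" for v in results.values())
    raise ValueError("unknown policy: " + policy)
```

Two points the code makes explicit: an address that is not in the fragment for a registered domain is reported as unknown rather than authenticated, which is the address-spoofing check of the earlier embodiments; and the cache TTL is what keeps the check usable when a provider's addresses change (load balancers, CDNs), so the lifetime must be shorter than the provider's address churn.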

Similarly, suppose user Q enters a request via the client computer to access content such as a website or other content on a network (e.g., content-provider server). The request is communicated to the client's server(s) and from there, the server performs the process in which the content-provider server is determined to be authenticated, non-authenticated, or neither. Upon making this determination, the server may have a protocol in place to decide whether to permit access to the content-provider server. In the alternative or in addition, the server can communicate the result to the client computer and allow the end user to make the decision based on the server's analysis.

Furthermore, such content and source authentication can be done on the client side but before any content from the content-provider server is displayed on the client computer for user viewing—such as on a visual display unit. In some instances, the client computer or the server may be busy processing other items. Therefore, the authentication process of the content-provider server can switch between the server and the client computer depending on the existing processing loads of the server and client. For example, if the client computer cannot perform the authentication process, it can request or automatically inform the server to perform the process. Likewise, if the server cannot perform the authentication process due to a technical problem or otherwise, the server can signal or instruct the client computer to perform it. This switching of content-provider server authentication can take place seamlessly and automatically and be completely invisible to the end user.

The systems and methods above facilitate protecting users from receiving bad or otherwise harmful data. However, a similar problem that is often ignored or missed is that sensitive or personal user data generated at the client computer is often communicated to the server unbeknownst to the user. This has been termed identity profiling. Identity profiling to produce, amongst other things, targeted advertising is a growing feature of internet usage. Identity profiling is similar to identity theft in the way that it collects personal and possibly confidential information about an individual without their specific consent or permission. It then uses this information to target an individual with relevant e-mails or advertising which supposedly will have a greater influence than general advertising. This can be contrasted with identity theft, which uses information about an individual for fraudulent purposes. Identity profiling has moral implications that many are questioning.

There are products now available that internet service providers (ISPs) are starting to implement which monitor browser usage either directly or through search engines and then insert targeted advertising according to the usage of the individual. As a simple example, a search for ‘sports car’ could be entered into a search engine. The ‘sports car’ search input could produce advertisements for car dealers selling sports cars in the sponsored links section of the page. Privacy concerns are magnified for users when their complete internet usage is being monitored, not just random searches. Extrapolating the principle to a much larger and more realistic scale of monitoring, users have no knowledge of how the data will be used, moral or otherwise. The search for the ‘sports car’ followed by the ‘coincidental’ cold call or e-mail from a car dealer and then the similar call from an insurance agent suggests a possible manipulation of a user's browsing activity down certain channels without that user necessarily being aware of the manipulation.

Identity profiling on the internet has been likened to an Internet-free world where all your mail is being opened and read by a third party to determine what you are doing, followed by the insertion of additional mail so as to guide you down certain commercial paths. Similarly, imagine individuals being followed around when shopping, with all their purchases being recorded, and then being approached with alternative products. If the above examples were in fact happening in everyday life, civil liberties would be considered violated and very few would find it acceptable, but in an internet world it is not as obvious to see the cause and effect of such intrusive practices.

One solution to this problem is to give the ISPs that are monitoring usage large amounts of additional information such that the ‘real’ profile information of the individual is lost or obscured in the ‘white noise’ which is being generated independently of the individual but by software on the individual's computer. For example, a software system tool can generate browser requests to URLs without intervention of a user so as to mimic or appear to be produced by the user. Put another way, imagine a scenario where a typical user is browsing various web pages, clicking through to interior pages and sitting on some for longer periods of time than others, or jumping to sites that are unrelated or at least somewhat related relatively quickly and then sitting on a page for a while.

Although there is no correct or incorrect way to browse the Internet, the generated browser requests to URLs can mimic real browsing behavior of a user. This can be accomplished in part by employing a variety of browsing behaviors such as clicking from site to site, staying only on a site briefly and then landing on a site and even clicking through to interior pages and staying on the same site as if the user found something of interest. In addition to the real browser requests to the URLs that a user visits, the subject system or method can generate “fake” browser requests. The fake or generated browser requests can be made by choosing from various URLs (that do exist) but that, when analyzed collectively to determine the user's preferred subjects, topics, favorites, or other real browsing patterns for the user, allow no such “profile”, browsing pattern, or user preferences to be discerned. Thus, few if any targeted advertisements can be successfully chosen and sent to the user.

The mimicking of real browser behavior is performed by creating a neutral profile without any indication as to what “profile” the user may subscribe to. For example, if a college student's browsing habits could identify them as a student, then this data must be lost or hidden within the generated browsing requests so that no identity profile can be accurately established for the user. In particular, the subject system or method can effectively “hide” real user data by masking it with a proportionally greater amount of generated browsing data (browsing requests). For instance, the number of generated browsing requests can be based on a factor (e.g., a factor of 10 or some other integer greater than 1) of the relative amount of real data communicated to the server. By doing so, the real user data is essentially lost amongst the generated user data.

The generated browsing activity can include a multitude of URLs, for instance, that the targeted advertising system cannot understand, or that would essentially make it difficult for the targeted advertising system to determine which targeted advertisements to send to the user. As a result of confusing the targeted advertising system with “white noise” or cluttered URL data, a substantial portion of the user's personal browsing activity cannot be discerned. Even more so, the user is not inundated with either relevant or irrelevant targeted ads.

Several parameters can be considered and programmed so that server software cannot readily detect the use of such a software system tool, which jams the data collection on which targeted advertising relies with sufficient generated fake user data such that the real data generated by the user is only a small percentage of the data collected:

-   The browser request can contain the same header as a real request generated by a browser installed on the client computer.
-   The URL can be either generated at random from examination of a DNS server, or from a supplied list of non-discriminating, non-descript, or non-distinct web sites, or a combination thereof, or other techniques.
-   Specific words can also be sent to search engines that perform identity profiling.
-   Once a URL request has been generated, further links from within that web page may be generated to simulate a user interest in the web page.
-   The time between requests is randomly generated from between a few seconds and several minutes, to simulate real user intervention or browsing.
-   The requests can run in the background, interspersed with the user's real browser requests; the process should not take bandwidth from the user, hence it can have a lower priority than real usage.
-   The software system tool can be aware of the number of real requests generated by the user and then can determine how many false requests to generate so as to make the real data insignificant compared to the ‘white noise’ generated to jam the data collection process.

For example, though not illustrated in the figures, the browsing system tool can include a plurality of components to facilitate jamming the data collection process performed by targeted advertising systems or methods. The software system tool can form a database of websites or URLs that are non-discriminating, generic, non-descript, and/or non-distinct, meaning that these websites are geared toward the masses and that knowing that a user has been to one or more of these websites does not provide any interesting or helpful information about the user for targeted advertising purposes. As the user is browsing the internet, the system tool can collect URL data in at least one of two ways.

In the first, a browser request generation component can collect URL data for the user by selecting a URL from the white noise database each time the user goes to a different URL. This means that the time the user spends at each URL is copied or mimicked but the actual URL visited by the user is replaced with another specifically or randomly selected URL (from the database).

In the second, the browser request generation component can select URLs from the database based on a time scheme that is appropriate for the type of user or user profile type. It should be appreciated that an Internet search engine can scan or monitor the Internet for such websites that are appropriate to produce URL data clutter (white noise) to hinder targeted advertising efforts and then add them to or replace older or out-of-date URL data in the database. It should be further appreciated that the tool can be turned off or on as desired by the user.
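The two decoy-generation schemes just described, together with the dilution factor and the timing rules from the parameter list above, as an added example that is not part of the patent text. The white-noise database, the student's browsing session and the topic labels are constructed for the example (a real observer sees no labels; they exist here only to measure how far the profile is diluted). `mimic_plan`, `scheduled_plan`, `real_share` and `dominant_topic` are this example's own names, and no requests are actually sent: the functions produce the plan that a request component would execute in the background.

```python
"""Added example (not the patent's code): planning decoy browser requests so
that the user's own requests become a small, unrecognisable fraction of
what an observer at the ISP records."""
import random
from collections import Counter
from typing import List, Tuple

Visit = Tuple[str, str, float]  # (url, topic label, seconds)

# Constructed white-noise database: mass-audience sites whose visits say
# nothing about the visitor. Labels exist only so dilution can be measured.
WHITE_NOISE_DB: List[Tuple[str, str]] = [
    ("https://weather.example/", "weather"),
    ("https://news.example/", "news"),
    ("https://maps.example/", "maps"),
    ("https://dictionary.example/", "reference"),
    ("https://encyclopedia.example/", "reference"),
    ("https://recipes.example/", "food"),
]

# Constructed real session of a student, as the tool sees it: (url, topic, dwell seconds).
REAL_SESSION: List[Visit] = [
    ("https://campus.example/timetable", "student", 40.0),
    ("https://textbooks.example/cheap", "student", 95.0),
    ("https://sportscars.example/", "cars", 12.0),
]


def mimic_plan(real: List[Visit], db: List[Tuple[str, str]], factor: int, seed: int = 0) -> List[Visit]:
    """First scheme: each real visit triggers `factor` decoys whose dwell time copies
    the real one (with jitter) but whose URL comes from the white-noise database."""
    if factor < 1:
        raise ValueError("factor must be an integer >= 1")
    rng = random.Random(seed)
    plan: List[Visit] = []
    for _url, _topic, dwell in real:
        for _ in range(factor):
            url, topic = rng.choice(db)
            plan.append((url, topic, dwell * rng.uniform(0.7, 1.3)))
    return plan


def scheduled_plan(db: List[Tuple[str, str]], count: int, seed: int = 0,
                   min_gap: float = 3.0, max_gap: float = 300.0) -> List[Visit]:
    """Second scheme: decoys on their own timetable. The gap before each request is
    drawn between a few seconds and several minutes; sometimes an 'interior page'
    of the same site follows, to look like interest in what was found."""
    rng = random.Random(seed)
    plan: List[Visit] = []
    while len(plan) < count:
        url, topic = rng.choice(db)
        plan.append((url, topic, rng.uniform(min_gap, max_gap)))
        if rng.random() < 0.3 and len(plan) < count:
            plan.append((url + "section/" + str(rng.randint(1, 9)), topic,
                         rng.uniform(min_gap, min(60.0, max_gap))))
    return plan


def real_share(real: List[Visit], decoys: List[Visit]) -> float:
    """Fraction of everything the observer sees that is the user's own traffic."""
    return len(real) / (len(real) + len(decoys))


def dominant_topic(real: List[Visit], decoys: List[Visit]) -> Tuple[str, float]:
    """What a profiler counting topics would conclude, and with what share of the traffic."""
    counts = Counter(t for _, t, _ in real) + Counter(t for _, t, _ in decoys)
    topic, n = counts.most_common(1)[0]
    return topic, n / sum(counts.values())


if __name__ == "__main__":
    decoys = mimic_plan(REAL_SESSION, WHITE_NOISE_DB, factor=10, seed=7)
    print("real share of traffic:", round(real_share(REAL_SESSION, decoys), 3))
    print("profiler without the tool:", dominant_topic(REAL_SESSION, []))
    print("profiler with the tool:", dominant_topic(REAL_SESSION, decoys))
```

With a factor of 10 the user's three visits are 3 of 33 requests, and the topic that dominates the observer's count is whichever white-noise site happened to be drawn most, not “student”. Two things the code shows that the text does not spell out: the decoys must be drawn from a pool large enough that their own statistics do not become a signature of the tool, and the real requests are still sent unchanged, so anything the user submits in the body of a request (search terms, form data) is not hidden by this method and would need the separate search-term measure from the list above.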

When used in this specification and claims, the terms “comprises” and “comprising” and variations thereof mean that the specified features, steps, or integers are included. The terms are not to be interpreted to exclude the presence of other features, steps, or components.

The features disclosed in the foregoing description, or the following claims, or the accompanying drawings, expressed in their specific forms or in terms of a means for performing the disclosed function, or a method or process for attaining the disclosed result, as appropriate, may, separately, or in any combination of such features, be utilized for realizing the invention in diverse forms thereof.

1. A server that is in communication with a content-provider server via a communication network, wherein the server performs an authentication method comprising: determining a domain name of the content-provider server; obtaining a fragment of a database of IP addresses, wherein the fragment corresponds to the domain name of the content-provider server and a store of one or more IP addresses associated with the domain name; comparing the IP address of the content-provider server against the IP addresses of the fragment; and providing an indication that the IP address of the content-provider server is included or excluded from the IP addresses of the fragment.
2. The server according to claim 1, wherein the method further comprises communicating content from the content-provider server to a client computer in communication with the server when the IP address of the content-provider server is included or excluded from the IP addresses of the fragment.
3. The server according to claim 1, wherein the server performs the authentication method before serving content from the content-provider server to the client computer.
4. The server according to claim 1, wherein the method further comprises: receiving a request to access content from a content-provider server wherein the request originates from a client computer; and providing access to the content from the content-provider server by the client computer when the server indicates that the IP address of the content-provider server is included or excluded in the fragment.
5. The server according to claim 1, wherein the method further comprises requesting data from the content-provider server and obtaining the fragment in response to the request for the data from the content-provider server.
6. The server according to claim 1, wherein the method further comprises: determining whether data from the content-provider server has been previously requested and obtained; requesting the data from the content-provider server if the data has not been previously requested or obtained; and obtaining the data from the content-provider server when the data has not been previously obtained or requested.
7. The server of claim 1, wherein the content comprises at least one of email messages, instant messages, chat messages, documents, files, webpages, website data, and link data.
8. A method that facilitates authentication of a content-provider server by a server on a server side comprising: filtering content from being served to a client computer when the IP address of the content-provider server is excluded from the IP addresses of a fragment, wherein the filtering comprises: determining a domain name of the content-provider server; obtaining a fragment of a database of IP addresses, wherein the fragment corresponds to the domain name of the content-provider server and a store of one or more IP addresses associated with the domain name; comparing the IP address of the content-provider server against the IP addresses of the fragment; and providing an indication that the IP address of the content-provider server is included or excluded from the IP addresses of the fragment.
9. The method of claim 8, wherein filtering the content from being served to the client computer comprises preventing the content from being communicated or accessed by the client computer, wherein the content comprises at least one of email messages, instant messages, chat messages, documents, files, webpages, website data, and link data.
10. The method of claim 8 further comprising, after determining that the IP address of the content-provider server is included in the IP addresses of the fragment, serving the content from the content-provider server to the client computer and displaying at least a subset of the content on a visual display unit of the client computer.
11. The method of claim 8 further comprising, after determining that the IP address of the content-provider server is excluded from the IP addresses of the fragment, serving the content from the content-provider server to the client computer and displaying at least a subset of the content on a visual display unit of the client computer.
12. A method that facilitates authentication of a content-provider server by at least one of a server on a server side or a client computer comprising: filtering content from being viewable on a client computer when the IP address of the content-provider server is excluded from the IP addresses of a fragment, wherein the filtering comprises: determining a domain name of the content-provider server; obtaining a fragment of a database of IP addresses, wherein the fragment corresponds to the domain name of the content-provider server and a store of one or more IP addresses associated with the domain name; comparing the IP address of the content-provider server against the IP addresses of the fragment; and providing an indication that the IP address of the content-provider server is included or excluded from the IP addresses of the fragment.
13. The method of claim 12 further comprising displaying the content from the content-provider server on the client computer after determining that the IP address of the content-provider server is included or excluded from the IP addresses of the fragment.
14. The method of claim 12 further comprising displaying the content from the content-provider server on the client computer after determining that the IP address of the content-provider server is included in the IP addresses of the fragment.
15. The method of claim 12 is performed on or by the client computer, wherein the content is unviewable on the client computer until a determination is made that the IP address of the content-provider server is included or excluded from the IP addresses of the fragment.
16. The method of claim 12 is performed on or by the client computer, wherein the content is unviewable on the client computer until a determination is made that the IP address of the content-provider server is included in the IP addresses of the fragment.
17. The method of claim 12 is performed on or by the server, wherein the content is unviewable on the client computer until a determination is made that the IP address of the content-provider server is included or excluded from the IP addresses of the fragment.
18. The method of claim 12 is performed on or by the server, wherein the content is unviewable on the client computer until a determination is made that the IP address of the content-provider server is included in the IP addresses of the fragment.
19. A secured browsing system that mitigates personal data communicated to a server comprising: a browser request generation component that generates browser requests to one or more URLs without intervention of a user so as to appear to be produced by the user, thereby generating false browsing activity; and a white noise database that stores a plurality of the URLs that, when selected, are included in a browser request without intervention from the user.
20. The system of claim 19, wherein the browser request generation component selects a browsing behavior to apparently mimic for a user based in part on user-provided data.
21. The system of claim 19, wherein the browser requests are based at least in part on browsing activity of the user and comprise a small portion of real user browsing activity, such that the small portion is insubstantial enough to mitigate generating at least one of the following: targeted advertisements and other unsolicited advertising to the user.
22. The system of claim 19, wherein the false browsing activity comprises one or more URLs that a targeted advertising system cannot understand to make it difficult for the targeted advertising system to determine which targeted advertisements to send to the user.
23. The system of claim 19, wherein the browser request comprises the same header as a real request generated by a browser installed on a client computer.
24. The system of claim 19, wherein one or more of the URLs as stored in the white noise database are generated at random from at least one of the following: examination of a DNS server, a supplied list of non-discriminating, non-descript, and non-distinct web sites, or a combination thereof.
25. The system of claim 19, wherein once the browser request comprising the one or more URLs has been generated, one or more additional links from within a website corresponding to the one or more URLs may be generated to simulate user interest in a web page on the website.
26. The system of claim 19, wherein time between communications of browser requests to the server is randomly generated from between a few seconds and several minutes to simulate real user browsing times.
27. The system of claim 19, wherein the browser generation component is made aware of a quantity of real browser requests generated by the user and determines how many false browser requests to generate so as to make the real data insignificant compared to the false browser activity generated to facilitate jamming a data collection process for targeted advertising.